From bd7506b9f548a7d07da127530da2b0a1b12ece8c Mon Sep 17 00:00:00 2001
From: Md Azam
Date: Fri, 24 Feb 2023 09:17:35 -0400
Subject: [PATCH] Update OCSF network traffic mappings (#1332)
---
 .../json/ocsf_from_stix_map.json | 5 +--
 .../json/stix_2_1/ocsf_from_stix_map.json | 5 +--
 .../json/stix_2_1/to_stix_map.json | 17 ++++++---
 .../stix_translation/json/to_stix_map.json | 17 ++++++---
 .../stix_translation/transformers.py | 2 +-
 .../stix_translation/json/ocsf_results.json | 35 +++++++++++++++++--
 .../test_aws_athena_json_to_stix.py | 15 ++++++--
 .../test_aws_athena_stix_to_query.py | 3 +-
 8 files changed, 79 insertions(+), 20 deletions(-)
diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/ocsf_from_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/ocsf_from_stix_map.json
index 32e0c5c12..d4b0be240 100644
--- a/stix_shifter_modules/aws_athena/stix_translation/json/ocsf_from_stix_map.json
+++ b/stix_shifter_modules/aws_athena/stix_translation/json/ocsf_from_stix_map.json
@@ -142,11 +142,12 @@
 "extensions.'x-network-ext'.protocol_ver": [
 "connection_info.protocol_ver"
 ],
- "extensions.'x-network-ext'.tcp_flags": [
+ "extensions.'tcp-ext'.src_flags_hex": [
 "connection_info.tcp_flags"
 ],
 "protocols[*]": [
- "connection_info.protocol_num"
+ "connection_info.protocol_num",
+ "connection_info.protocol_ver_id"
 ],
 "src_byte_count": [
 "traffic.bytes_out"
diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/ocsf_from_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/ocsf_from_stix_map.json
index 95ecfd457..40e29ae95 100644
--- a/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/ocsf_from_stix_map.json
+++ b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/ocsf_from_stix_map.json
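Review bot: Mapping `protocols[*]` to both `connection_info.protocol_num` and `connection_info.protocol_ver_id` merges two unrelated value spaces, so a pattern such as `network-traffic:protocols[*] = '6'` meant as TCP (IANA protocol 6) also matches every flow whose `protocol_ver_id` is 6 (IPv6); the expected query in the test_aws_athena_stix_to_query.py hunk shows exactly that OR. The stix_2_1 hunk of this same file maps the property to `protocol_name` and `protocol_ver_id` instead, so the two from-STIX maps disagree on whether a `protocols` value is a number or a name, while both to_stix_map.json hunks emit lowercase names (`tcp`, `ipv4`). Unless a query-side transformer converts names to numbers (none is visible here), mapping `protocols[*]` to `protocol_name` and `protocol_ver` in both maps is the round-trip-safe choice; at minimum the 2.0 and 2.1 maps should agree.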
@@ -142,11 +142,12 @@
 "extensions.'x-network-ext'.protocol_ver": [
 "connection_info.protocol_ver"
 ],
- "extensions.'x-network-ext'.tcp_flags": [
+ "extensions.'tcp-ext'.src_flags_hex": [
 "connection_info.tcp_flags"
 ],
 "protocols[*]": [
- "connection_info.protocol_num"
+ "connection_info.protocol_name",
+ "connection_info.protocol_ver_id"
 ],
 "src_byte_count": [
 "traffic.bytes_out"
diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/to_stix_map.json
index 0c184915b..d81286844 100644
--- a/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/to_stix_map.json
+++ b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/to_stix_map.json
@@ -2304,20 +2304,27 @@
 },
 "connection_info": {
 "protocol_num": {
- "key": "network-traffic.protocol",
+ "key": "network-traffic.protocols",
 "object": "nt",
- "transformer": "ProtocolNumToName"
+ "transformer": "ProtocolNumToName",
+ "group": true
 },
 "protocol_name": {
- "key": "network-traffic.protocol",
+ "key": "network-traffic.extensions.x-network-ext.protocol_name",
 "object": "nt"
 },
 "tcp_flags": {
- "key": "network-traffic.extensions.x-network-ext.tcp_flags",
+ "key": "network-traffic.extensions.tcp-ext.src_flags_hex",
 "object": "nt"
 },
 "protocol_ver": {
- "key": "network-traffic.extensions.x-network-ext.protocol_ver",
+ "key": "network-traffic.protocols",
+ "object": "nt",
+ "group": true,
+ "transformer": "ToLowercaseArray"
+ },
+ "protocol_ver_id": {
+ "key": "network-traffic.extensions.x-network-ext.protocol_ver_id",
 "object": "nt"
 },
 "direction": {
diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/to_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/to_stix_map.json
index 3755ea9de..32aaac254 100644
--- a/stix_shifter_modules/aws_athena/stix_translation/json/to_stix_map.json
+++ b/stix_shifter_modules/aws_athena/stix_translation/json/to_stix_map.json
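Review bot: `tcp_flags` now lands in `network-traffic.extensions.tcp-ext.src_flags_hex` with no transformer, but the OCSF field is an integer (the fixture carries `"tcp_flags": 85` and the new test asserts `src_flags_hex == 85`) while STIX types `src_flags_hex` as `hex`, a string of hex digits, so the emitted object is not schema-valid; a transformer that renders the integer as a hex string (85 → `"55"`) is needed on this entry. The same applies to the identical hunk in json/to_stix_map.json. Separately, `protocol_num` and `protocol_ver` both feed `network-traffic.protocols` with `group: true`, and the result pinned by the test is `['tcp', 'ipv4']`; STIX requires protocols ordered outermost first (`ipv4` before `tcp`), so the ordering appears to follow key order in the map or data rather than the encapsulation order the spec asks for.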
@@ -2308,20 +2308,27 @@
 },
 "connection_info": {
 "protocol_num": {
- "key": "network-traffic.protocol",
+ "key": "network-traffic.protocols",
 "object": "nt",
- "transformer": "ProtocolNumToName"
+ "transformer": "ProtocolNumToName",
+ "group": true
 },
 "protocol_name": {
- "key": "network-traffic.protocol",
+ "key": "network-traffic.extensions.x-network-ext.protocol_name",
 "object": "nt"
 },
 "tcp_flags": {
- "key": "network-traffic.extensions.x-network-ext.tcp_flags",
+ "key": "network-traffic.extensions.tcp-ext.src_flags_hex",
 "object": "nt"
 },
 "protocol_ver": {
- "key": "network-traffic.extensions.x-network-ext.protocol_ver",
+ "key": "network-traffic.protocols",
+ "object": "nt",
+ "group": true,
+ "transformer": "ToLowercaseArray"
+ },
+ "protocol_ver_id": {
+ "key": "network-traffic.extensions.x-network-ext.protocol_ver_id",
 "object": "nt"
 },
 "direction": {
diff --git a/stix_shifter_modules/aws_athena/stix_translation/transformers.py b/stix_shifter_modules/aws_athena/stix_translation/transformers.py
index b99d7b923..5a9ba97a1 100644
--- a/stix_shifter_modules/aws_athena/stix_translation/transformers.py
+++ b/stix_shifter_modules/aws_athena/stix_translation/transformers.py
@@ -24,6 +24,6 @@ def transform(protocol_decimal):
 for key, value in protocol_dict.items():
 if str(protocol_decimal) == value:
 protocol = key
- return protocol
+ return [protocol]
 except ValueError:
 LOGGER.error("Cannot convert protocol number to protocol name")
\ No newline at end of file
diff --git a/stix_shifter_modules/aws_athena/tests/stix_translation/json/ocsf_results.json b/stix_shifter_modules/aws_athena/tests/stix_translation/json/ocsf_results.json
index d88752a68..b5c2a704e 100644
--- a/stix_shifter_modules/aws_athena/tests/stix_translation/json/ocsf_results.json
+++ b/stix_shifter_modules/aws_athena/tests/stix_translation/json/ocsf_results.json
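Review bot: `return [protocol]` covers only the matched case; when no value of `protocol_dict` equals `str(protocol_decimal)` the function falls off the loop and returns `None` implicitly, and if `protocol` is bound only inside the loop (any initialisation is outside the hunk) the result is an UnboundLocalError that the `except ValueError` handler does not catch. Nothing in the visible loop raises ValueError, and the handler's own implicit `None` return means either path can put a `None` element into the grouped `protocols` list. A single lookup with an explicit fallback avoids both: `name = next((k for k, v in protocol_dict.items() if v == str(protocol_decimal)), None)` followed by `return [name] if name is not None else [str(protocol_decimal)]`, with `return []` in the except branch. transform begins before the hunk, and the file still ends without a trailing newline.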
@@ -23,9 +23,40 @@
 }
 },
 "ref_event_uid": "e12b3bc4-e1e3-11ab-22e1-de0b4d745bb1",
+ "connection_info": {
+ "boundary": "mentor lucia villa",
+ "direction": "Inbound",
+ "direction_id": 1,
+ "protocol_name": "tcp",
+ "protocol_num": 6,
+ "protocol_ver": "ipv4",
+ "protocol_ver_id": 4,
+ "tcp_flags": 85
+ },
+ "dst_endpoint": {
+ "hostname": "mirror.aero",
+ "instance_uid": "8fbaf31c-ad59-11ed-b661-0242ac110002",
+ "interface_name": "ll hourly lotus",
+ "interface_uid": "8fbaf81c-ad59-11ed-91ac-0242ac110002",
+ "ip": "63.71.92.147",
+ "port": 19984,
+ "svc_name": "norway lyrics survey",
+ "uid": "8fbafce0-ad59-11ed-bb7e-0242ac110002"
+ },
 "src_endpoint": {
- "ip": "1.1.2.2",
- "uid": null
+ "hostname": "investor.gov",
+ "instance_uid": "8fbb31b0-ad59-11ed-a55e-0242ac110002",
+ "interface_name": "cow ebay curtis",
+ "interface_uid": "8fbb35ca-ad59-11ed-936c-0242ac110002",
+ "ip": "116.8.200.100",
+ "port": 36136,
+ "uid": "8fbb398a-ad59-11ed-8ba9-0242ac110002"
+ },
+ "traffic": {
+ "bytes_in": 790742923,
+ "packets": 3901887417,
+ "packets_in": 4208942596,
+ "packets_out": 535302077
 },
 "resources": [
 {
diff --git a/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_json_to_stix.py b/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_json_to_stix.py
index dfdb19853..43103202d 100644
--- a/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_json_to_stix.py
+++ b/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_json_to_stix.py
@@ -463,7 +463,6 @@ def test_ocsf_translation_prop(self):
 result_bundle = json_to_stix_translator.convert_to_stix(
 data_source, map_data, [data], get_module_transformers(MODULE), options)
- assert result_bundle['type'] == 'bundle'
 result_bundle_objects = result_bundle['objects']
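Review bot: The new endpoint fixtures use routable-looking addresses (`116.8.200.100`, `63.71.92.147`) and real-looking names (`investor.gov`, `mirror.aero`); test data should come from the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`) and reserved names such as `example.com`, so the fixture can never be read as referring to a real host or mistaken for a captured event. Changing them touches only this file, since the consuming test asserts ports and counters rather than addresses.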
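Review bot: `assert result_bundle['type'] == 'bundle'` is dropped here without a replacement, so nothing in test_ocsf_translation_prop still verifies the top-level envelope returned by convert_to_stix; if it is redundant with another test in the module the commit message should say so, otherwise it is worth keeping as `assert result_bundle['type'] == 'bundle'` next to the `result_bundle_objects` line. The function continues past the hunk.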
@@ -483,6 +482,7 @@ def test_ocsf_translation_prop(self):
 assert 'objects' in observed_data
 objects = observed_data['objects']
+
 user_account = TestAwsResultsToStix.get_first_of_type(objects.values(), 'user-account')
 assert user_account is not None, 'user-account object type not found'
 assert user_account.keys() == {'type', 'extensions', 'display_name', 'user_id'}
@@ -490,8 +490,19 @@ def test_ocsf_translation_prop(self):
 assert user_account['user_id'] == '011222333553'
 assert user_account['display_name'] == 'backup'
+ network_traffic = TestAwsResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
+ assert network_traffic is not None, 'network-traffic object type not found'
+ assert network_traffic.keys() == {'type', 'extensions', 'protocols', 'dst_ref', 'dst_port', 'src_ref', 'src_port', 'dst_byte_count', 'dst_packets', 'src_packets'}
+ assert network_traffic['protocols'] == ['tcp', 'ipv4']
+ assert network_traffic['src_port'] == 36136
+ assert network_traffic['dst_port'] == 19984
+ assert network_traffic['src_packets'] == 535302077
+ assert network_traffic['dst_packets'] == 4208942596
+ tcp_ext = network_traffic.get('extensions')['tcp-ext']
+ assert tcp_ext['src_flags_hex'] == 85
+
 x_ibm_finding = TestAwsResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding')
 assert x_ibm_finding is not None, 'x-ibm-finding object type not found'
- assert x_ibm_finding.keys() == {'type', 'time_observed','src_ip_ref', 'severity'}
+ assert x_ibm_finding.keys() == {'type', 'time_observed', 'dst_ip_ref', 'src_ip_ref', 'severity'}
 assert x_ibm_finding['time_observed'] == '2020-10-07T08:08:37.000Z'
 assert x_ibm_finding['severity'] == 0
diff --git a/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_stix_to_query.py b/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_stix_to_query.py
index 0cd15a874..a6b953de0 100644
--- a/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_stix_to_query.py
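Review bot: The network-traffic assertions check ports and packet counts but never resolve `src_ref` and `dst_ref`, so a swapped or missing endpoint mapping would still pass; add `assert objects[network_traffic['src_ref']]['value'] == '116.8.200.100'` and the matching `dst_ref` check against `63.71.92.147`. `assert tcp_ext['src_flags_hex'] == 85` locks in an integer for a property STIX types as hex, so the test currently guards a non-conformant value and should expect `'55'` once a hex transformer is applied to the mapping. Style: `network_traffic.get('extensions')['tcp-ext']` gains nothing from `.get`, since a missing key fails either way — `network_traffic['extensions']['tcp-ext']` reads more honestly. test_ocsf_translation_prop starts before the hunk.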
+++ b/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_stix_to_query.py
@@ -73,7 +73,8 @@ def test_network_protocol(self):
 "vpcflow": "(CAST(protocol AS varchar) IN ('6', '9') AND start BETWEEN 1601541790 AND 1604054590)"
 },
 {
- "ocsf": "(CAST(connection_info.protocol_num AS varchar) IN ('6', '9') AND time BETWEEN 1601541790000 AND 1604054590000)"
+ "ocsf": "((CAST(connection_info.protocol_num AS varchar) IN ('6', '9') OR "
+ "CAST(connection_info.protocol_ver_id AS varchar) IN ('6', '9')) AND time BETWEEN 1601541790000 AND 1604054590000)"
 }
 ]
 print(json.dumps(query, indent=4))
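Review bot: This expectation only exercises the default `ocsf_from_stix_map.json`, where `protocols[*]` now expands to `protocol_num OR protocol_ver_id`; the stix_2_1 map changed in the same commit expands it to `protocol_name OR protocol_ver_id`, for which `IN ('6', '9')` can never match the name column, and no 2.1 counterpart of this test is visible in the diff. If the module has a STIX 2.1 query test it needs its own expected string for that mapping; if it does not, adding one is the only thing that will catch the two maps drifting apart. test_network_protocol starts before the hunk.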